The role of HIPAA Security Officer is very important in maintaining compliance. In smaller organizations, there's overlap in employees' roles, so the person that ends up as the HIPAA Security Officer may not have a whole lot of background in compliance. Does the individual serving in this role face more personal liability for breaches than other employees?

Asked our company's lawyer and pretty much got the same answer. Though I admit "I can tell you that it hasn't happened yet" wasn't as reassuring as I'd hoped.
– John Straka, Oct 14 '11 at 12:21

@JohnStraka Professional liability from a company officer usually requires inappropriate ignorance of conditions or malice. If you made the best reasonable efforts, you ought to be in a sound position.
– Jeff Ferland♦, Oct 26 '11 at 23:05

Unfortunately, I think the question is currently moot. While I think HIPAA compliance is important, enforcement is still non-existent.

Franken noted dryly that 64,000 privacy complaints have been filed with the OCR—and that nearly 500 were referred to the Justice Department for criminal investigation. But the Justice Department told his staff, Franken said, there have been just 16 HIPAA criminal prosecutions. Meanwhile, HHS had secured only one civil monetary penalty and six settlements, he said.

Does the individual serving in this role face more personal liability for breaches than other employees?

Disclaimer: I am not a lawyer, but I have been through several rounds of HIPAA training.

Is a HIPAA security officer automatically liable for a breach? No. If the security officer has done due diligence, the proper safeguards are in place, and some malicious user goes and sells a celebrity's health information to a paparazzi anyway, it seems doubtful that the security officer would be named in any resulting lawsuit. Even if they were named, they've done their job and should have nothing to fear.

But is a HIPAA security officer exposing him/herself to more potential liability than the average employee? Maybe. By taking on the responsibility for this area, it's possible that they might face some form of liability if they are negligent in the safeguards they put into place or the training of others. (Though as @John Straka pointed out, I've never heard of it happening.)